The White House on February 23 released its long-awaited white paper on online privacy, proposing a "Consumer Privacy Bill of Rights." Based on a report from the Department of Commerce, on which MRA filed comments in January 2011, the paper proposes a variety of expectations and demands for how companies should treat consumers online and outlines a process to achieve them, including stakeholder meetings to encourage and pressure private entities to enact "codes of conduct" in accordance with the White House’s concerns.
In introducing the paper, President Obama said: "I am pleased to present this new Consumer Privacy Bill of Rights as a blueprint for privacy in the information age. These rights give consumers clear guidance on what they should expect from those who handle their personal information, and set expectations for companies that use personal data. I call on these companies to begin immediately working with privacy advocates, consumer protection enforcement agencies, and others to implement these principles in enforceable codes of conduct. My Administration will work to advance these principles and work with Congress to put them into law. With this Consumer Privacy Bill of Rights, we offer to the world a dynamic model of how to offer strong privacy protection and enable ongoing innovation in new information technologies."
The White House’s Consumer Privacy Bill of Rights includes the following principles, based on the Fair Information Privacy Practices (FIPPs):
- Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
- Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.
- Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
- Security: Consumers have a right to secure and responsible handling of personal data.
- Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
- Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
- Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.
The White House aims to convene a "multi-stakeholder process" whereby "stakeholders who share an interest in specific markets or business contexts," come together in "transparent, open forums" to develop enforceable codes of conduct for US companies. Although the Administration called for comprehensive privacy legislation from Congress, it also called for giving the Federal Trade Commission (FTC) the power to enforce these voluntary Codes of Conduct. In reality, the FTC already has that power, under its existing authority (in Section 5 of the FTC Act) to enforce private companies’ adherence to their privacy promises.
All of this is designed to further "the goal of increased international interoperability" – primarily, to satisfy a radically different privacy model in Europe and get the US deemed as providing "adequate" privacy protection by European standards. If that happened, the US would no longer have to fuss around with binding corporate rules and the Safe Harbor in order to transfer EU data to the US.
While MRA shares that goal, we’re not convinced that simple "harmonization" with foreign privacy laws and practices presents the perfect solution. Europe’s economic decline does not lend itself to a winning argument for why the US should emulate the European Union’s data privacy regime. Innovative data businesses generally develop and grow in the US, not in Europe, and we are hesitant to give up that competitive advantage.
This leads to a problematic rhetorical point in the White House proposal: the concept of a "right to privacy." As explained by the Technology Policy Institute, this would be a massive remaking of the US privacy regime: "Rights are absolute. Once we label something a right, we’re saying we’re beyond the point of considering its costs and benefits." If there were no costs involved in the EU privacy model, we’d probably have implemented it in the US by now.
MRA looks forward to continuing discussions and the multi-stakeholder privacy process. As with comprehensive privacy legislation in Congress, the devil is more in the details than in the concepts. We will continue to focus our attention on the actual details and the real or expected impact on survey and opinion research – in the US and around the world.